Creates a login policy.
CREATE LOGIN POLICY policy-name policy-options
policy-options : policy-option [ policy-option ... ]
policy-option :
policy-option-name = policy-option-value
policy-option-value :
{ UNLIMITED | legal-option-value }
policy-name The name of the login policy.
policy-option-name The name of the login policy option.
policy-option-value The value assigned to the login policy option. If you specify UNLIMITED, no limits are imposed.
Policy option name | Description | Default value | Applies to
---|---|---|---
auto_unlock_time | The time period after which locked accounts are automatically unlocked. | Unlimited | All users except those with the MANAGE ANY USER system privilege
change_password_dual_control | When the value for this option is ON, setting the password requires two administrators. The setting for the verify_password_function option is ignored if this option is set to ON because the password is configured separately in two parts. No verification is performed. | OFF | All users
ldap_primary_server | The name of the primary LDAP server. | (none) | All users
ldap_secondary_server | The name of the secondary LDAP server. | (none) | All users
ldap_auto_failback_period | The time period in minutes after which automatic failback to the primary server is attempted. | 15 minutes | All users
ldap_failover_to_std | Whether to permit authentication with Standard authentication when authentication with the LDAP server fails because the Distinguished Name (DN) for a user cannot be located, because of a lack of system resources, a network outage, connection timeouts, or similar system failures. This setting does not permit an actual authentication failure returned by an LDAP server (the user is located but the supplied password does not match) to fail over to Standard authentication. | ON | All users
ldap_refresh_dn | At the time this policy option is specified by a CREATE LOGIN POLICY or ALTER LOGIN POLICY statement, the current time value is stored with the login policy. This value is the timestamp against which user authentication compares the user_dn_cached_at value found for the user in ISYSUSER. If the value in the policy is newer than the user_dn_cached_at value in ISYSUSER, a search for the user's Distinguished Name (DN) is done to refresh the user_dn value in ISYSUSER. NOW is the only valid value for this policy option; all other values result in an error. The value is in Coordinated Universal Time (UTC) and is stored as a string in the server default format. | (none) | All users
locked | If the value for this option is ON, users are not allowed to establish new connections. The reason_locked column of the sa_get_user_status system procedure returns a string generated by the database server that shows why a user is locked. | OFF | All users except those with the MANAGE ANY USER system privilege
max_connections | The maximum number of concurrent connections allowed for a user. | Unlimited | All users except those with the SERVER OPERATOR or DROP CONNECTION system privilege
max_failed_login_attempts | The maximum number of failed attempts since the last successful attempt to log in before the user is locked. Users with the SYS_AUTH_DBA_ROLE compatibility role are unlocked after one minute has passed since the most recent failed login attempt. | Unlimited |
max_days_since_login | The maximum number of days that can elapse between two successive logins by the same user. | Unlimited | All users except those with the MANAGE ANY USER system privilege
max_non_dba_connections | The maximum number of concurrent connections that users can make. This option is only supported in the root login policy. | Unlimited | All users except those with the SERVER OPERATOR or DROP CONNECTION system privilege
password_life_time | The maximum number of days before a password must be changed. | Unlimited | All users
password_grace_time | The number of days before the password expires during which login is allowed, but the default post_login procedure issues warnings. | 0 | All users
password_expiry_on_next_login | If the value for this option is ON, the user's password expires after the next login. | OFF | All users
root_auto_unlock_time | The time period after which locked accounts are automatically unlocked. This option is only supported in the root login policy. | 1 minute | Users with the MANAGE ANY USER system privilege
If you do not specify a policy option, its value for this login policy is taken from the root login policy. New policies do not inherit the MAX_NON_DBA_CONNECTIONS and ROOT_AUTO_UNLOCK_TIME policy options; these can only be set in the root login policy.
All new databases include a root login policy. You can modify the root login policy values, but you cannot delete the policy. The default values for the root login policy are those listed in the table above.
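The following script is an added example and is not part of the SAP documentation page. It shows how the inheritance rule above works in practice: the root policy is hardened first, because every option a derived policy omits falls back to it, and a stricter policy is then created for a service account with only the options that differ. The CREATE USER ... LOGIN POLICY clause, the ALTER USER ... RESET LOGIN POLICY clause and the SYSLOGINPOLICY / SYSLOGINPOLICYOPTION catalog views are SQL Anywhere features assumed here and not described on this page; the policy, user and numeric values are made up for illustration.

```sql
-- Added example, not from the SAP documentation page.
-- Assumed beyond this page: CREATE USER ... LOGIN POLICY,
-- ALTER USER ... RESET LOGIN POLICY, SYSLOGINPOLICY and SYSLOGINPOLICYOPTION.

-- 1. Harden the root policy first: it is the fallback for every option that a
--    derived policy does not set, and the two root-only options
--    (max_non_dba_connections, root_auto_unlock_time) can only be set here.
ALTER LOGIN POLICY root
    MAX_FAILED_LOGIN_ATTEMPTS=5
    AUTO_UNLOCK_TIME=30
    PASSWORD_LIFE_TIME=90
    PASSWORD_GRACE_TIME=7
    MAX_DAYS_SINCE_LOGIN=180
    MAX_NON_DBA_CONNECTIONS=200
    ROOT_AUTO_UNLOCK_TIME=5;

-- 2. A derived policy for service accounts lists only what differs from root;
--    password_life_time, max_days_since_login, ... are inherited from root.
CREATE LOGIN POLICY svc_policy
    MAX_FAILED_LOGIN_ATTEMPTS=3
    AUTO_UNLOCK_TIME=UNLIMITED          -- stays locked until an administrator acts
    MAX_CONNECTIONS=2                   -- a connection-pool leak shows up as denials
    PASSWORD_EXPIRY_ON_NEXT_LOGIN=ON;   -- the bootstrap password must be rotated

-- 3. Bind the policy when the account is created (assumed CREATE USER clause).
CREATE USER report_svc IDENTIFIED BY 'Ch4nge-Me-On-First-Login'
    LOGIN POLICY svc_policy;

-- 4. Review what was actually stored (assumed catalog views). Any option that
--    is absent for svc_policy is resolved from root at authentication time.
SELECT p.login_policy_name, o.login_option_name, o.login_option_value
  FROM SYSLOGINPOLICY p
  JOIN SYSLOGINPOLICYOPTION o ON o.login_policy_id = p.login_policy_id
 WHERE p.login_policy_name IN ( 'root', 'svc_policy' )
 ORDER BY p.login_policy_name, o.login_option_name;

-- 5. After a lockout, sa_get_user_status (named on this page) reports the
--    reason in reason_locked; the assumed RESET LOGIN POLICY clause clears it.
CALL sa_get_user_status();
ALTER USER report_svc RESET LOGIN POLICY;
```

Keeping AUTO_UNLOCK_TIME at UNLIMITED for service accounts is deliberate: an automatic unlock turns a lockout into a rate limit, which is acceptable for interactive users but lets a credential-stuffing attempt against a service account simply wait and retry. Check the SQL Anywhere reference for the unit each time-valued option expects before reusing the numbers above.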
Privileges: You must have the MANAGE ANY LOGIN POLICY system privilege.
Side effects: None.
Standards and compatibility: SQL/2008 Vendor extension.
The following example creates the Test1 login policy. The policy has an unlimited password life and allows the user a maximum of 5 attempts to enter the correct password before the account is locked.
CREATE LOGIN POLICY Test1 PASSWORD_LIFE_TIME=UNLIMITED MAX_FAILED_LOGIN_ATTEMPTS=5;
The following example shows typical settings for a new login policy (ldap_user_policy) that uses LDAP user authentication. Both a primary and a secondary LDAP server configuration object (which must have been created beforehand) are specified so that authentication can fail over to the secondary LDAP server, and failover to Standard authentication is permitted when system resources or the network are unavailable or both the primary and secondary LDAP servers are unresponsive. This combination of options keeps logins responsive with cached values when an LDAP server cannot keep up with incoming requests. The example assumes that the login_mode database option includes Standard. You cannot paste and run this example as-is, because the primary and secondary servers it names are fictitious.
CREATE LOGIN POLICY ldap_user_policy LDAP_PRIMARY_SERVER=ldapsrv1 LDAP_SECONDARY_SERVER=ldapsrv2 LDAP_FAILOVER_TO_STD=ON;
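The policy above trades strictness for availability. The following added example (not part of the SAP documentation page) shows the same two-server configuration with the opposite trade-off for accounts where an LDAP outage should deny access rather than degrade it. It reuses the page's fictitious server names ldapsrv1 and ldapsrv2 and assumes the same prerequisites (the server objects exist and login_mode permits LDAP authentication); the policy name and the failback period are made up for illustration.

```sql
-- Added example, not from the SAP documentation page. ldapsrv1 and ldapsrv2
-- are the fictitious server configuration objects used in the page's example.

-- With the default LDAP_FAILOVER_TO_STD=ON, an outage of both LDAP servers
-- (DN lookup failure, timeout, network or resource exhaustion) silently
-- switches the user to the password stored in the database. That keeps
-- logins working, but it also means a user whose LDAP account was disabled
-- can still connect while LDAP is down, and anyone who can make the LDAP
-- servers unreachable reopens the database-password path. Setting it OFF
-- makes an LDAP outage a login failure instead.
CREATE LOGIN POLICY ldap_strict_policy
    LDAP_PRIMARY_SERVER=ldapsrv1
    LDAP_SECONDARY_SERVER=ldapsrv2
    LDAP_AUTO_FAILBACK_PERIOD=5     -- retry the primary every 5 minutes
    LDAP_FAILOVER_TO_STD=OFF        -- LDAP unreachable: deny, do not degrade
    LDAP_REFRESH_DN=NOW;            -- stale cached DNs are re-resolved

-- Either way, a genuine LDAP authentication failure (user found, password
-- rejected) never falls over to Standard authentication; the option only
-- governs infrastructure failures, as the option table states.
```

Because a strict policy makes the database unusable for its members during an LDAP outage, keep at least one break-glass administrative account on a policy without LDAP servers (Standard authentication only, with a tight max_failed_login_attempts), so the server remains administrable while the directory is down.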
Copyright © 2013, SAP AG or an SAP affiliate company - SAP Sybase SQL Anywhere 16.0